NASA CR-147657

(NASA-CR-147657) PREVENTION OF DESIGN FLAWS IN MULTICOMPUTER SYSTEMS (McDonnell-Douglas Technical Services) 114 p HC $5.50 CSCL 09B

N76-23889

Unclas

G3/61 41452


PREVENTION OF DESIGN FLAWS
IN
MULTICOMPUTER SYSTEMS







PRICES SUBJECT TO CHANGE


Contract NAS 9- (remaining digits illegible in the scan)


REPRODUCED BY
NATIONAL TECHNICAL INFORMATION SERVICE
U.S. DEPARTMENT OF COMMERCE
SPRINGFIELD, VA. 22161



NOTICE

THIS DOCUMENT HAS BEEN REPRODUCED FROM THE BEST COPY FURNISHED US BY THE SPONSORING AGENCY. ALTHOUGH IT IS RECOGNIZED THAT CERTAIN PORTIONS ARE ILLEGIBLE, IT IS BEING RELEASED IN THE INTEREST OF MAKING AVAILABLE AS MUCH INFORMATION AS POSSIBLE.



TABLE OF CONTENTS (APPENDICES I THROUGH XVIII)

The appendix titles and page numbers below are recovered from a damaged scan; titles or digits that could not be read are marked as illegible.

APPENDIX I    ELECTROSTATIC INTERFERENCE .... 30
APPENDIX II   DC-10 COMPUTER SYSTEM .... 41
              L-1011 COMPUTER SYSTEM
              B-1 COMPUTER SYSTEM
              DC-10 DIGITAL R&D COMPUTER SYSTEM .... 55
              (title illegible) COMPUTER SYSTEM
              F-8 COMPUTER SYSTEM
              F-1(digit illegible) COMPUTER SYSTEM
              F-4 FLY-BY-WIRE SYSTEM
              F-1(digit illegible) COMPUTER SYSTEM
              F-111 COMPUTER SYSTEM
              S-3A COMPUTER SYSTEM
              TAGS COMPUTER SYSTEM
              YF-16 COMPUTER SYSTEM
              ADVANCED COMPUTER SYSTEMS
              SHUTTLE MAIN ENGINE COMPUTER SYSTEM .... 91
              SATURN V INSTRUMENT UNIT COMPUTER SYSTEM .... 93
              GROUND COMPUTER SYSTEMS

Page numbers of the remaining appendices, in the order printed: 49, 52, 57, 60, 70, 72, 74, 76, 78, 81, 85, 88, 98.



LIST OF FIGURES

Figure                                                                     Page

1.  SEMICONDUCTOR DEVICE OPERATING LEVELS .................................... 7
2.  GENERATED NOISE STRENGTH VS FREQUENCY .................................... 36
3.  NORMALIZED NOISE SPECTRUM FROM AIRCRAFT TRAILING EDGE .................... 37
4.  TYPICAL DC-10 FOUR CHANNEL SYSTEM ........................................ 43
5.  DC-10 SIMPLIFIED AUTOMATIC PILOT BLOCK DIAGRAM ........................... 44
6.  DC-10 AUTOMATIC FLIGHT CONTROL SYSTEM .................................... 45
7.  L-1011 FLIGHT CONTROL SYSTEM ............................................. 51
8.  B-1 FLIGHT CONTROL SYSTEM ................................................ 54
9.  F-8 DIGITAL FLY-BY-WIRE SYSTEM MECHANIZATION ............................. 58
10. DIGITAL SYSTEM FAILURE DETECTION AND REPORTING SYSTEM .................... 64
11. S-3A DATA MANAGEMENT SUBSYSTEM ........................................... 80
12. TAGS FLIGHT CONTROL SYSTEM ............................................... 83
13. TAGS CONFIGURATION BLOCK DIAGRAM ......................................... 84
14. YF-16 FLIGHT CONTROL SYSTEM .............................................. 87
15. ADVANCED STUDIES CANDIDATE SYSTEM USING QUAD COMPUTERS ................... 90
16. INSTRUMENT UNIT NAVIGATION, GUIDANCE AND CONTROL SYSTEM BLOCK DIAGRAM .... 95
17. INSTRUMENT UNIT LAUNCH VEHICLE DIGITAL COMPUTER (LVDC) SWITCH SELECTOR
    INTERCONNECTION DIAGRAM .................................................. 97



LIST OF TABLES

Table                                                          Page

I.   ELECTRONIC DEVICE SUSCEPTIBILITY LEVELS ..................... 8
II.  RADAR INTERFERENCE SOURCES ................................. 11
III. COMPONENT SUSCEPTIBILITY TO LIGHTNING ...................... 13
IV.  COMPUTER SWITCHING APPROACHES .............................. 20



LIST OF ACRONYMS AND ABBREVIATIONS

A .... Area
AFC .... Automatic flight control
AMPS .... Amplifiers
(symbol illegible) .... Acceleration, normal
C .... Capacitance
CADC .... Central Air Data Computer
CCATS .... Command Communications and Telemetry System
CDP .... Central Data Processor
CMDS .... Commands
COND .... Condition
CSM .... Command Service Module
CTS .... Control Transfer System
d .... Distance
db .... Decibel
dbw .... Power in decibel relative to one watt
DDA .... Digital differential analyzer
DDSU .... Display Drive Select Unit
E .... Permittivity
ECU .... Electronic Control Unit
(symbol illegible) .... Energy of one spark discharge for flashover
(symbol illegible) .... Permittivity of free space
(symbol illegible) .... Energy of one spark discharge for punch-through
f .... Frequency
FCS .... Flight Control System
FO/FO/FS .... Fail operational/fail operational/fail safe
ft .... Feet
GHz .... Gigahertz
GSC .... Goddard Space Center
IC .... Integrated circuit
ILS .... Instrument Landing System
INS .... Inertial Navigation System
INST .... Instructions
IOP .... Input output processor
IU .... Instrument Unit
JSC .... Lyndon B. Johnson Space Center
KHz .... Kilohertz
KSC .... John F. Kennedy Space Center
KV .... Kilovolts
KW .... Kilowatts
LCC .... Launch Control Center
LH .... Left hand
LM .... Lunar Module
LVDA .... Launch Vehicle Data Adapter
LVDC .... Launch Vehicle Digital Computer
LVDT's .... Linear variable differential transformers
LUT .... Launch Umbilical Tower
m .... Meter
MCC .... Mission Control Center
MHz .... Megahertz
MOCR .... Mission Operations Control Room
MOS .... Metal oxide silicon
MOSFET .... Metal oxide silicon field effect transistor
MSBLS .... Microwave Scanning Beam Landing System
msec .... Milliseconds
NASA .... National Aeronautics and Space Administration
NM .... Nautical mile
P .... Precipitation
PAFAM .... Performance and Failure Assessment Monitor
pk .... Peak
PSU/SP .... Parameter Setting Unit/Status Panel
(symbol illegible) .... Charge in coulombs
R&D .... Research and development
RF .... Radio frequency
RH .... Right hand
RSI .... Reusable surface insulation
RTCC .... Real Time Computer Complex
SAS .... Stability Augmentation System
SIP .... Strain Isolation Pad
SM .... (definition illegible)
SYS .... Systems
TACAN .... Tactical Air Navigation
TAGS .... Tactical Airborne Guidance System
TILS .... Tactical Instrument Landing System
TM .... Telemetry
TMR .... Triple modular redundancy
TPS .... Thermal Protection System

SYMBOLS

(symbol illegible) .... Pitch rate
μ .... Micro
μs .... Microseconds
μV .... Microvolts



SYNOPSIS

Generic design flaws of redundant computer systems can result in undesirable operation, such as monopolization of computer controlled data buses by a faulty element, accidental system shutdown due to transients, erroneous memory alteration, loss of control system equalization, and software oversights which can be common in all redundant strings.

History has shown that generic design failures have occurred on aerospace vehicles. On aircraft, these problems have resulted in simultaneous malfunctioning of multiple redundant computers requiring faultdown to the mechanical cable flight control system. The system features that cause generic design failures are susceptibility of electronic circuits to electromagnetic or electrostatic energy, susceptibility of interfacing parallel redundant electronic strings to multiple string failures, and computer programming oversights causing common failures within each string.

The low-power solid state integrated circuit (IC) devices are much more susceptible to extraneous electromagnetic and electrostatic interference than their earlier counterpart, the discrete transistor. This means that special precautions must be taken to preclude generic design failures of these susceptible electronic components on the Shuttle. Analyses indicate that the Microwave Scanning Beam Landing System (MSBLS) ground station will most probably not interfere with the electronic circuits.



However, the high power AN/FPS-16 radar tracking system will interfere with the electronic circuits unless about 60 decibels (db) of attenuation (vehicle skin plus cable) to interference is achieved.

Experience has shown that vehicle skin will attenuate RF energy by about 15 db without special design considerations, while 40-45 db of skin attenuation can be achieved (at least on small vehicles) with special design considerations. Braided type cable shielding can typically provide up to 50 db of shielding to RF energy with special design considerations (e.g. 360 degree seals, similar to waveguide connectors, at the connectors). Lightning is, however, a more difficult noise source to protect against than radars. Shielding levels of 70 to 100 db are required to provide the most sensitive ICs protection against lightning.

The mechanism for pickup of electromagnetic energy is through external skin cracks (e.g. bolt holes even with bolts installed) and internal cable bundles. Therefore, better shielding of the black-box enclosure is generally of no help. No attempt was made in this report to estimate or calculate the amount of skin and cable attenuation to be provided by the current Orbiter design. However, cut-outs in the metallic skin that are fitted with low dielectric constant material for antenna windows could reduce the skin attenuation to near zero db, unless the design of the antenna and antenna system mounting structure precludes leakage of RF energy to the inside of the Orbiter. Skin with virtually no attenuation to RF radiation could make the Orbiter electrical components very susceptible to RF signals.

The Orbiter is judged uniquely vulnerable to electrostatic charge hazards because of the high electrical resistivity and large surface areas of its Reusable Surface Insulation (RSI) which is in proximity to inherently susceptible solid state digital avionics equipment. Additional NASA Avionics System Engineering Division effort has been initiated to further define this problem and to generate solutions.

An aircraft computer switching philosophy used on operational systems has been distilled by surveying existing systems. Key points of this philosophy are:

a) Plan for failures by using a deterministic design approach that assumes failures will happen (Murphy's Law). Do not rely on a reliability number (such as .9995) alone.

b) Functional redundancy is preferred to hardware redundancy only.

c) Reconfigure by turning devices off rather than on.

d) Avoid synthesis of a viable system from several strings. The pilot needs an easily understandable equipment configuration. Ease of understanding is best achieved by switching entire strings of electronic equipment.

e) Confirm failures before disconnecting equipment when possible to preclude using up configuration options too fast and to allow the crew to function in the decision process.

f) Permit several levels of degraded performance to preclude using up options too fast.

Items a) thru d) appear to be applicable to the Orbiter while e) and f) may not be applicable due to the greater time criticality of the Orbiter functions and the higher Orbiter performance requirements.

Table IV on page 20 provides a summary of computer switching approaches for some of the existing aircraft and spacecraft systems surveyed. It was found that most systems are designed to prohibit generic failures and/or are not similar enough to the Shuttle systems to merit further study. This is indicated from the following system characteristics.

a) Some systems use dedicated computers for different functions.

b) Many systems are simplex in nature.

c) Some systems use manual break-before-make switching for computers.

d) Many systems are all analog in nature and many use no data buses.

It was found that the airborne systems were more applicable than the ground systems. In particular the DC-10 with its functional redundant performance and failure assessment monitor (PAFAM) system and the S-3A with its cross strapped computer systems are of interest.

Examples of computer system shutdowns due to transients, errors in parallel computational strings due to failures of interfacing elements, and multicomputer shutdowns due to computer programming oversights were found in the course of this study. However, no examples were found of monopolization of data buses or erroneous memory allocation due to generic system failures.

No aircraft systems were found that use an integrated data bus approach to handle both flight critical functions and most other major vehicle functions, as done on the Orbiter. The only aircraft found that plans to use a fly-by-wire control system in its operational phase, without the availability of a mechanical cable backup flight control system, is the new YF-16 light weight fighter aircraft. This aircraft has been flown hundreds of flights without accident due to failure of the all electronic flight control system.




1.0 Introduction

This study was conducted at the request of and under the direction of the NASA Avionics System Engineering Division. The purpose of the study was to investigate multicomputer configurations and redundancy management techniques to determine methods to prevent and/or treat generic design flaws. For the purpose of this report generic design failures are defined as undesirable operations of redundant computer configurations which are typified as follows:

o monopolization of all or many data buses by a faulty computational element in one or more strings
o accidental subsystem/system shutdown due to transients
o erroneous memory alteration (overlay) due to crosstalk between computers
o loss of control equalization where equalization is required for normal operation
o software oversights which can be common in all redundant operational strings

This report covers the first portion of the psychotic computer study in which generic flaws are defined and the prevention and treatment of generic design failures are discussed. The computer configurations and redundancy management of existing aircraft, spacecraft, and industry computer systems are also reviewed. The purpose of this review is to assimilate the best existing computer system philosophy guidelines for use on the Shuttle program. The existing systems are investigated to determine computer redundancy configurations, redundancy switching criteria, and immunity to generic design flaws.

The second portion of the generic design flaw study is to include an Orbiter redundant computer analysis to define and solve specific Orbiter generic design problems. This portion of the study is to be conducted after completion of this report with the results being in a separate report.

This report is mainly comprised of information previously published in preliminary working papers. The source of data for this report includes both written reports from and telecons with the appropriate companies and engineering staffs responsible for the investigated aircraft, spacecraft, and industrial computer systems. Written references used are included in the list of references.

History has shown that computer generic design flaws have occurred on aerospace vehicles. On aircraft these problems have resulted in malfunctioning of the multiple redundant computer systems requiring faultdown to the mechanical cable flight control system. For example, on TAGS (Tactical Airborne Guidance System), the entire computer system (three computers) shut down due to a software design oversight requiring reversion to mechanical cable flight control to preclude a crash. The software was not designed to handle a second computer failure before three computer computational cycles elapsed, due to an oversight in the computer program design. On the DC-10 the quad redundant analog flight control system comparators were unable to detect a bias in the yaw flight control channel since all channels included the bias due to a part failure and a design weakness. However, an independent monitor system, the performance and failure assessment monitor (PAFAM), detected this generic failure allowing manual takeover using the mechanical cable system. These generic failure examples were found in the course of this study and do not represent a complete listing. Other failure examples are included in other report sections. A special survey to find failure examples was not made since the time to document more failures was not felt to be warranted and in most instances manufacturers are reluctant to release any information regarding failures of their systems.

Examples of computer system shutdowns due to transients, errors in parallel computational strings due to failures of interfacing elements, and multicomputer shutdowns due to computer programming oversights were found in the course of this study. However, no examples were found of monopolization of data buses or erroneous memory allocation due to generic system failures.

No aircraft systems were found that use an integrated data bus approach to handle both flight critical functions and most other major vehicle functions, as done on the Orbiter. The only aircraft found that plans to use a fly-by-wire control system in its operational phase, without the availability of a mechanical cable backup flight control system, is the new YF-16 light weight fighter aircraft. This aircraft has been flown hundreds of flights without accident due to failure of the all electronic flight control system.

The terms "generic design failures" and "generic design flaws" used in this report are considered to be synonymous with the terms psychotic operation/behavior and psychotic problems respectively. These alternate terms have been used in some of the earlier working papers on this same subject.

Paragraph 2.0 of this report discusses design features that are subject to generic design flaws and Paragraph 3.0 includes a summary of philosophy items, pertinent to the Space Shuttle Orbiter, that were obtained from an investigation of existing computer systems. Paragraphs 4.0 and 5.0 include the recommendations and conclusions. The Appendices include more detailed information on electrostatic interference and additional and more detailed information on individual computer systems investigated.





2.0 Design Features Subject to Generic Design Failures

Before investigating existing computer systems, a brief look into system design features that are subject to generic design failures and design practices that can alleviate chances of these failures is in order. Integrated circuit (IC) components, interfacing parallel redundant strings, and computer programs can all be subject to generic design failures.

Additional hardware and software redundancy of identical design will normally not help to reduce the generic design failure effects. This is due to the generic nature of these failures, which affect more than one or all of a given type of line replaceable units simultaneously.

2.1 Integrated Circuits

Digital avionic systems employing efficient but low power solid state IC devices are much more susceptible to extraneous electromagnetic and electrostatic interference than their earlier counterpart, the discrete transistor. This demands that engineering design attention be given to natural and manmade environmental disturbances to negate the effects of these disturbances on very sensitive IC devices.

Figure 1 and Table I indicate that the semiconductor development trend is toward increasingly lower power operating levels and greater noise sensitivity as the population of active elements per unit area of substrate becomes larger. Vulnerability to high voltage, low energy transients is also indicated by the fact that factory personnel working with IC devices are often required to wear wristband grounds to avoid equipment burn-out from discharge of clothing charges.

2.1.1 Electromagnetic Sources of Interference

Two prime examples of extraneous electromagnetic sources that can affect sensitive solid state IC devices are ground radar scanning of the Shuttle and lightning strikes. Both of these interference sources are difficult to control and require consideration of sufficient shielding in the system design.

2.1.1.1 Electromagnetic Energy Transfer Mechanism

A manner in which radiated energy can get into IC devices is as follows. Radiated energy impinging on the vehicle penetrates through the surface via cracks, bolt holes (with bolts installed) or other openings. Once the energy has penetrated the vehicle's outer skin the avionic cable bundles act as an antenna. The cables serve as a transducer, which changes radiated energy to conducted energy, which is then conducted to the IC devices.



[FIGURE 1 - SEMICONDUCTOR DEVICE OPERATING LEVELS: plot of operating power range (watts) and minimum shielding required (decibels) versus transistors per chip; the image is not reproduced in this copy]


TABLE I

ELECTRONIC DEVICE SUSCEPTIBILITY LEVELS

Device                        Malfunction level                 Burnout
Transistor                    50 milliwatts                     50 watts (MDC test data)
Typical integrated circuit    10 to 100 milliwatts              (not determined)
MOSFET integrated circuit     0.3 to 3 microwatts (estimated)   4 to 40 milliwatts (estimated)





An unblemished skin (no fasteners, no cracks, or openings) typically provides approximately 100 db of isolation to RF energy. However, an unblemished skin is virtually not practicable. It has been found that bolt holes with bolts installed and tightened firmly reduce skin shielding from about 100 db to about 40 db. On such programs as Gemini and Harpoon Missile, it was found through tests that the external skin provided little attenuation (typically 10 to 15 db) to radiated energy impinging on the vehicle without specifically designing for RF protection. These tests were performed in the 5 to 9 GHz range.

Skin shielding could be as low as zero decibels if dielectric windows for sensors are employed. On the Harpoon Missile, the surface was radiation sealed by using special gaskets and processes to increase the RF attenuation produced by the skin. Skin attenuation was increased from 10-15 db to 40-45 db.

Braided type shields on avionic cables can typically provide from zero to 50 db of shielding to RF energy depending on the shielding design. This shielding adds to the attenuation provided by the skin. On the Harpoon Missile it was found that to achieve 20 to 50 db of attenuation from braided shielding required a 360 degree seal, similar to waveguide connectors, at the connectors.

Thirty db of skin attenuation plus 30 db of cable attenuation would provide enough isolation to be effective against most radars as indicated in the following paragraphs. Greater isolation, however, may be required for lightning.

2.1.1.2 Effects of MSBLS and AN/FPS-16 Radar

The Shuttle relies on ground generated RF signals from the MSBLS for automatic landing, and it is highly desirable to track the Shuttle with surveillance radars at least during ascent and landing.

Table IIa indicates that the radiated power from the ground MSBLS/Tactical Instrument Landing System (TILS) station, seen at the Orbiter, is in the microwatt range. Figure 1 indicates that the most sensitive MOSFET IC's also operate in the microwatt range. Therefore, to preclude circuit malfunctions due to the MSBLS ground radiated power, with a 10 db margin of safety, would require 10 db of RF isolation. This 10 db of isolation should be easy to achieve as indicated in the above paragraphs.

Table IIb indicates that the maximum radiated power from the AN/FPS-16 radar, seen at the Orbiter, is in the milliwatt range. This would require attenuation of about 60 db, vehicle skin plus cable, to assure satisfactory operation of the most sensitive IC devices, assuming a 10 db margin of safety. Note that this is for the Orbiter at one nautical mile from the radar and that the attenuation required would decrease by 6 db each time this range is doubled.

The MSBLS ground station and the AN/FPS-16 radar were selected



TABLE II

RADAR INTERFERENCE SOURCES

a) MSBLS/TILS Interference Sources

MSBLS/TILS Transmitter Power (2 kW pk) ................. 33 dbw
MSBLS/TILS Transmitter Antenna Gain, Ground ............ 29 db
Free Space Loss (15.3 GHz, 1 NM) ....................... -121 db
Power Received at the Shuttle at 1 NM range ............ -59 dbw*
                                                        or 1.25 x 10^-6 watts

b) AN/FPS-16 Radar Interference

AN/FPS-16 Transmitter Power (1.0 MW pk) ................ 60 dbw
AN/FPS-16 Circuit Losses ............................... -2 db
AN/FPS-16 Antenna Gain ................................. 45 db
Free Space Loss (5.6 GHz, 1 NM) ........................ -113 db
Power Received at the Shuttle at 1 NM range ............ -10 dbw**
                                                        or 100,000 x 10^-6 watts

Notes:
*  Flux density of 0.037 watts/sq. m at Orbiter
** Flux density of 465 watts/sq. m at Orbiter



as examples to determine if such ground based radiators could possibly cause Orbiter circuit malfunctions. It appears that high power radars could cause circuit malfunctions if sensitive electronic circuits are used and if the Orbiter skin and avionic cable bundles provide low attenuation to RF energy. A more detailed analysis of all radiation sources that may irradiate the Shuttle, and an analysis of Orbiter skin and cable bundle attenuation to RF energy, would be required to determine the impact of ground radar scanning the Shuttle Orbiter.
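The Table II link budget and the isolation arguments of paragraphs 2.1.1.1 and 2.1.1.2 (skin and cable attenuation adding in decibels, a 10 db safety margin, 6 db less isolation per doubling of range), carried through in code as an added example that is not code from the report. The transmitter powers, gains, frequencies and the Table I MOSFET malfunction range are the report's figures; the function names, the 1 microwatt device level chosen to reproduce the report's 10 db and 60 db results, and the printout are this example's own assumptions.

```python
"""Link budget and shielding-margin check for the Table II radar cases.

Added worked example; not code from the report.  Transmitter powers, gains,
frequencies and the Table I device levels are the report's figures; the
function names and the 1 microwatt reference point are assumptions.
"""
import math

C_M_PER_S = 299_792_458.0   # speed of light
NAUTICAL_MILE_M = 1852.0    # one nautical mile in metres


def dbw(p_watts):
    """Power in dBW (decibels relative to one watt)."""
    return 10.0 * math.log10(p_watts)


def free_space_loss_db(freq_hz, range_m):
    """Free-space path loss 20*log10(4*pi*d/lambda) between isotropic antennas."""
    wavelength = C_M_PER_S / freq_hz
    return 20.0 * math.log10(4.0 * math.pi * range_m / wavelength)


def received_power_dbw(tx_watts, gain_db, freq_hz, range_m, circuit_loss_db=0.0):
    """Power captured by a 0 dB (isotropic) receiver at the vehicle: the
    Table II chain, transmitter power - circuit loss + antenna gain - path loss."""
    return dbw(tx_watts) - circuit_loss_db + gain_db - free_space_loss_db(freq_hz, range_m)


def flux_density_w_per_m2(tx_watts, gain_db, range_m, circuit_loss_db=0.0):
    """Power flux density EIRP/(4*pi*d^2) at the vehicle (the table's footnotes)."""
    eirp_watts = tx_watts * 10 ** ((gain_db - circuit_loss_db) / 10.0)
    return eirp_watts / (4.0 * math.pi * range_m ** 2)


def required_isolation_db(received_dbw, malfunction_watts, margin_db=10.0):
    """Skin-plus-cable attenuation needed so that the power reaching a device
    sits margin_db below its malfunction level; never negative."""
    return max(0.0, received_dbw - dbw(malfunction_watts) + margin_db)


def isolation_at_range_db(isolation_at_1nm_db, range_nm):
    """Required isolation falls by 20*log10(range ratio): 6 dB per doubling."""
    return isolation_at_1nm_db - 20.0 * math.log10(range_nm)


# Table II transmitters (report figures) and a 1 microwatt device level
# (assumption: a round value inside the Table I MOSFET IC range of 0.3 to 3
# microwatts; it reproduces the report's 10 db and 60 db results).
MSBLS_TILS = dict(tx_watts=2_000.0, gain_db=29.0, freq_hz=15.3e9, circuit_loss_db=0.0)
AN_FPS_16 = dict(tx_watts=1.0e6, gain_db=45.0, freq_hz=5.6e9, circuit_loss_db=2.0)
MOSFET_MALFUNCTION_W = 1.0e-6


def table_ii_case(case, range_nm=1.0):
    """Work one Table II column through to the isolation the device needs."""
    d = range_nm * NAUTICAL_MILE_M
    rx = received_power_dbw(case["tx_watts"], case["gain_db"], case["freq_hz"],
                            d, case["circuit_loss_db"])
    return {
        "free_space_loss_db": round(free_space_loss_db(case["freq_hz"], d)),
        "received_dbw": round(rx),
        "received_watts": 10 ** (rx / 10.0),
        "flux_w_per_m2": flux_density_w_per_m2(case["tx_watts"], case["gain_db"],
                                               d, case["circuit_loss_db"]),
        "isolation_needed_db": required_isolation_db(rx, MOSFET_MALFUNCTION_W),
    }


if __name__ == "__main__":
    for name, case in (("MSBLS/TILS", MSBLS_TILS), ("AN/FPS-16", AN_FPS_16)):
        r = table_ii_case(case)
        print(f"{name}: path loss {r['free_space_loss_db']} db, received "
              f"{r['received_dbw']} dbw ({r['received_watts']:.2e} W), flux "
              f"{r['flux_w_per_m2']:.3g} W/m^2, isolation needed "
              f"{r['isolation_needed_db']:.0f} db")
    at_1nm = table_ii_case(AN_FPS_16)["isolation_needed_db"]
    for nm in (1, 2, 4, 8):
        print(f"  AN/FPS-16 at {nm} NM: {isolation_at_range_db(at_1nm, nm):.0f} db")
```

The path losses, received powers and flux densities come out within rounding of the Table II entries, and the isolation figures land at about 10 db for the MSBLS/TILS station and about 60 db for the AN/FPS-16 radar. The skin and cable attenuations are simply added in decibels against `isolation_needed_db`, which is why the 30 db plus 30 db budget of paragraph 2.1.1.1 covers the radar case but not the 70 to 100 db lightning case of Table III.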

2.1.1.3 Effects of Lightning

Table III indicates that high shielding levels (70-100 db) are required for IC protection against lightning. Few serious accidents on commercial aircraft have been attributed to lightning because they have heavy metallic surfaces, inherent flight stability, and safety of flight control systems free of susceptible avionic components. The Orbiter is inherently unstable and it has not been demonstrated as yet that the system is free of susceptible avionic components. Therefore, the effects of lightning strikes on flight control functions should be considered in detail on the Shuttle.

2.1.2 Electrostatic Sources of Interference

In addition to electromagnetic energy sources there are electrostatic charge and discharge mechanisms that have resulted in a variety of problems on aerospace vehicles. The Shuttle



TABLE III

COMPONENT SUSCEPTIBILITY TO LIGHTNING

Device                                                                     Minimum shielding required to protect against lightning
Bipolar integrated circuits (100 transistors per chip)                     70 db
MOS (unipolar) integrated circuits (5000 to 10,000 transistors per chip)   100 db



Orbiter is judged uniquely vulnerable to electrostatic charge hazards because of the high electrical resistivity and large surface areas of its RSI, which is in proximity to inherently susceptible solid state digital avionics equipment.

Exploratory laboratory tests and analytical predictions of RSI electrostatic behavior suggest a much more severe impulse noise environment for the Orbiter than commonly experienced in flight on conventional metallic skinned airplanes. The electrostatic potential is acquired through frictional charging by particulate matter in the atmosphere (principally ice or rain particles), engine exhaust charging, or by thunderstorm cross-fields. Conventional aircraft use sharply pointed "static dischargers" located in high aerodynamic flow regions near the extremities of the aircraft to bleed off excess charge in a controlled manner, virtually eliminating the electrostatic interference problems. Without the dischargers, the static charge may build up until the vehicle is charged to a very high potential, on the order of hundreds of thousands of volts. However, with static dischargers and conventional metal structures, the charge rapidly bleeds off and maintains the vehicle at an acceptable low voltage level.

Two problems are immediately obvious in the Orbiter design with its dielectric (electrically insulated) RSI coating. The first is that static charge will build up on the dielectric surface and cannot bleed off because the dielectric will not conduct the charge to a common discharge point where a static discharger can be located. With the smooth contours of the RSI and the large surface area, voltages may build up on the exterior surface in the megavolt range with very significant energy. The second problem is the design of static dischargers which can withstand the dynamic launch and entry heating environments.

RF interference due to uncontrolled static charge results in precipitation-static in radios as well as logic errors in digital circuits. Flights of both the Minuteman and the Titan have shown that airborne computers used for guidance and commands are extremely susceptible to a single discharge of very low-energy static electricity. See Appendix I for a more thorough description of avionic responses to a precipitation static environment, other threats from electrostatic charges, and electrostatic noise spectrum and magnitudes.

■k 

2.2 Interfacing Parallel Redundant Electronic Strings

Multiple computational strings often interface at comparators/voters and in equalization circuits. Some typical development practices which help to preclude generic failures due to such interfaces are:

a) Comparators that are comparing computations from more than one channel should have failure modes such that a failure is obvious. A "fail obvious" comparator is needed.

b) Whenever information from two channels flows within the same box (e.g. information to comparators), wiring and connector pin separation should be such that the two lines cannot be shorted together. Shorts between two channels should not go undetected.

c) Comparisons should be made at the end of the control strings. However, comparisons can also be made at other points.

d) Recognize that failures can be altitude or other flight parameter sensitive. For example, a failure may be simulated at 100 feet altitude with no deleterious effects; but at 500 feet altitude, the failure could cause catastrophic effects. This is because the failed condition is present for a longer period of time before landing.

Techniques used for equalization of commands in the parallel and redundant computational strings are of prime concern on the Orbiter. This is because small differences in signals between computational strings have a tendency to propagate and result in divergent commands because of integration processes in the system. This divergent tendency can be overcome by proper equalization and/or synchronization techniques. However, these techniques tend to add complexity, reduce reliability, and add computational string interface points that are subject to generic design failures. Therefore, it is important that the final solution to the equalization problem be proven free of generic design flaws.
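The divergence and equalization behavior described above, simulated as an added example that is not code from the report: three channels integrate the same command with constructed one percent biases, the comparator is a simple spread threshold, and the "stuck reference" case shows the kind of interface failure the paragraph warns about, where the shared equalization reference itself fails and every channel follows it while the comparator stays silent. The biases, gains, threshold and fault are this example's own assumptions, not the Orbiter's values.

```python
"""Divergence of parallel integrating strings, with and without equalization,
and what a cross-channel comparator does and does not catch.

Added worked example; not code from the report.  The channel biases, gains,
comparator threshold and the 'stuck reference' fault are constructed values.
"""
from statistics import median


def run_strings(biases, cycles, dt=0.02, command=1.0, eq_gain=0.0,
                threshold=0.333, stuck_reference=None):
    """Integrate the same command in every channel.

    Each channel carries a small bias (sensor offset, timing skew).  The
    integrator accumulates it, so un-equalized channels drift apart without
    bound.  With eq_gain > 0 each channel is pulled toward the mid-value of
    all channels every cycle, which bounds the spread.  stuck_reference
    replaces that shared mid-value with a faulted constant, i.e. a failure
    at the equalization interface itself.

    Returns the channel outputs, the cycle at which the comparator first
    tripped (None if it never did), the final spread, and the value a
    bias-free, un-equalized channel would have reached.
    """
    outputs = [0.0] * len(biases)
    trip_cycle = None
    for n in range(1, cycles + 1):
        for i, bias in enumerate(biases):
            outputs[i] += (command + bias) * dt              # integration step
        if eq_gain:
            ref = median(outputs) if stuck_reference is None else stuck_reference
            for i in range(len(outputs)):
                outputs[i] -= eq_gain * (outputs[i] - ref)   # equalization pull
        spread = max(outputs) - min(outputs)                 # cross-channel comparator
        if trip_cycle is None and spread > threshold:
            trip_cycle = n
    return {
        "outputs": outputs,
        "trip_cycle": trip_cycle,
        "spread": max(outputs) - min(outputs),
        "truth": command * dt * cycles,
    }


BIASES = [0.0, 0.01, -0.01]   # constructed: channel 0 exact, channels 1 and 2 off by 1%

if __name__ == "__main__":
    free = run_strings(BIASES, 5000)
    print(f"no equalization: spread {free['spread']:.3f}, "
          f"comparator tripped at cycle {free['trip_cycle']}")
    eq = run_strings(BIASES, 5000, eq_gain=0.05)
    print(f"equalized: spread {eq['spread']:.4f}, tripped {eq['trip_cycle']}, "
          f"output {eq['outputs'][0]:.2f} (truth {eq['truth']:.2f})")
    stuck = run_strings(BIASES, 5000, eq_gain=0.05, stuck_reference=0.0)
    print(f"stuck reference: spread {stuck['spread']:.4f}, tripped {stuck['trip_cycle']}, "
          f"output {stuck['outputs'][0]:.2f} (truth {stuck['truth']:.2f})")
```

Without equalization the spread grows linearly and the comparator trips part way through the run; with equalization the spread stays a few thousandths and the median channel tracks the true integral. In the stuck-reference run the spread is just as small and the comparator never trips, yet every channel sits near 0.4 instead of 100: a comparator that only looks across channels cannot see a failure that the equalization interface has made common to all of them, which is the case for an independent monitor of the PAFAM kind mentioned in the Introduction.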

2.3 Computer Programming

In addition to normal computer program verification, the following verification techniques should be used to lessen chances of psychotic operation due to computer programming oversights.

a) Verify effects of sequences or strings of failures. On past programs (e.g. TAGS) certain timing of failures relative to each other has caused shutdown of all computer systems. All possible reversionary modes and their effect must be investigated.

b) Pay particular attention to those computations that are not performed every computational cycle. The effect of errors in these computations tends to be overlooked.

c) Verify times for which computers will wait for data. For example, are there instances in which one or more computers could be running with old data and one or more other computers running with newer data? This could cause comparators to indicate a non-compare.

d) Recognize that checking out the computer program is different from checking out the system design — both




3.0 Philosophy Items of Existing Computer Systems

3.1 Aircraft Computer System Philosophy

Both flight and non-flight computer systems were investi-
gated. However, the airborne systems were found to have more
applicability to the Orbiter computer system than the ground
based systems. A computer system design and switching philosophy
was generated from the information received. It is felt that this
philosophy represents typical computer switching philosophy for
existing operational aircraft. Key points of this philosophy are:

a) Plan for failures by using a deterministic design approach
that assumes failures will happen (Murphy's Law), not
rely on a reliability number (such as .999S) alone.

b) Functional redundancy is preferred to hardware
redundancy only.

c) Reconfigure by turning devices off, rather than on.

d) Avoid synthesis of a viable system from several
strings. The pilot needs an easily understandable
configuration. Ease of understanding is best achieved
by switching entire strings of electronic equipment.

e) Confirm failures before disconnecting equipment when
possible to preclude using up configuration options too
fast and to allow crew to function in the decision
process.

f) Permit several levels of degraded performance to
preclude using up options too fast.

These system philosophy points are used for current commercial
and military aircraft and therefore are not necessarily applicable
to the Shuttle Orbiter. However, items a) thru d) appear to be
applicable to the Orbiter while e) and f) may not be applicable
due to the greater time criticality of the Orbiter functions
and the higher Orbiter performance requirements. This section of
the report discusses only the key findings from the survey of
existing computer systems. For additional information on
individual computer systems refer to Appendices II through XVIII.
3.2 Aircraft Computer System Overview

An overview of key parameters of existing systems is given
in Table IV. Included in the overview are parameters that are of
interest in the generic design flaw investigation. These para-
meters include failure cues provided to the pilots, criteria used
to deactivate failed computers, methods used for system reconfig-
uration, and the "state" assumed by a failed computer.

The large commercial and military aircraft investigated (DC-10,
L-1011 and B-1) use four computational strings. The four computers
are grouped into two pairs to form a dual-dual computational
system. This is done to keep one group of two computers physi-
cally and electrically isolated from the other group. That is,
the computer one output is compared with the computer two output
and the computer three output is compared with the computer four
output. There are no, or few, connections between groups of
strings. Computers one and two form a group, and computers
three and four form another group.

TABLE IV - COMPUTER SWITCHING APPROACHES

Columns: (1) type of computer system; (2) failure cues to pilot;
(3) criteria to deactivate failed computer; (4) system
reconfiguration; (5) failed computer continues to operate.

DC-10
  (1) 2 by 2 computer comparison plus Performance and Failure
      Assessment Monitor (PAFAM).
  (2) Amber light: one half system failed. Red light: complete
      system failed.
  (3) Non compare of strings; PAFAM indicates failure.
  (4) Automatically goes to two strings. PAFAM prevents autoland
      disconnect in some cases; PAFAM notifies crew of failed
      condition.
  (5) Failed computer continues to operate.

L-1011
  (1) 2 by 2 comparison of analog strings plus voters for signal
      select. Voters select one signal to drive vehicle.
  (2) "Invalid", "No Dual" or "Dual Autoland Not Available" display.
  (3) Non compare of channels and invalid servo feedback.
  (4) Automatic disconnection. Output of AFC switched to ground
      point; crew normally only monitors.
  (5) Yes.

B-1
  (1) 2 by 2 comparison of analog strings.
  (2) Bat handles drop if feedback from servos ...
  (3) In autoland mode, with single failure pilot goes manual or
      aborts landing.
  (4) Automatic disconnection. Pilot can reconnect string if
      failure indication is followed by good indication.

TABLE IV - COMPUTER SWITCHING APPROACHES (COMPLETED)

Simplex autoland autopilot coupler (SPN-42)
  (2) Panel lights.
  (3) Failures ...
  (4) Automatic.

F-15: simplex computer with two data buses (not in safety of
flight loop)
  (2) Instrument ...

F-(designation illegible) fly by wire; no automatic flight modes
or computers
  (2) Indicate failed electronics and failed actuators in each
      axis and each string.
  (3) Detected by comparators; deactivate electronics and/or
      actuators.
  (5) Yes; failed electronics output is shunted to ground.

Saturn V Instrument Unit: single computer with duplex and TMR
circuitry
  (2) Pilots receive attitude of booster.
  (3) Only inputs to the TMR logic that do not compare are not
      used.
  (4) Man not involved; computer tries to reinitialize.
  (5) Yes; however failed inputs to the TMR logic are not used.

The DC-10 equalizes, or makes equal, the sensor signals
feeding each group of computers. This is accomplished in a
manner necessary to cancel long term variations but detect short
term variations between the channels in a group. These short-
term variations are more indicative of failures. Similarly the
computational differences between the two channels under comparison
are subtracted out (cancelled) so that the comparators will only
sense true failures.

The PAFAM used on the DC-10 was not used in the other aircraft
systems. The PAFAM provides supervisory control of autoland disconnect
functions and includes a fast time model for predicting the air-
craft touchdown point. The PAFAM has been found useful but not
mandatory for autoland.

On the DC-10 program, it has been indicated that two types
of system degradations must be designed for: equipment mal-
functions and input source errors. Input source errors include
wind shears and erroneous landing system information. The PAFAM
was used to detect these input source errors and to provide pre-
dicted ground landing system data during short drop outs or losses
of ground landing system information.



All of the large operational military and commercial aircraft
use a fly-by-cable backup system for flight control. The F-8C
test aircraft was the first (1972) aircraft to fly with a fly-by-
wire system with no mechanical backup system for failure
reversion. This was on a test system only. The new YF-16 is
believed to be the first fighter with no mechanical cable backup
system in its planned operational configuration. In all cases it
was found that a failed computer was allowed to continue to
operate after it was switched off line. In the event the failure
is rectified the computer could then be used again.

Numerous methods of reconfiguring computer systems were
noted. The switching of a computer off line was accomplished
automatically, manually, and sometimes a combination of automatic
and manual techniques was used. Some of the methods of recon-
figuration found are defined in Table IV.

The fighter aircraft computer systems were generally not
applicable to the Orbiter because often simplex dedicated
computational strings are used for each group of functions. In
the F-15 the simplex computation string, performing non safety
of flight computations, can however be pressed into service to
perform navigation computations if required as a backup measure.



Spacecraft Computer System Overview

The Saturn V Instrumentation Unit did not include any means
for the crew to manually reconfigure the Instrumentation Unit
computer system due to lack of redundancy and time criticality
of the booster functions.

A primary example of how functional redundancy has been
used on spacecraft programs is the use of the Lunar Module (LM)
guidance system to safely bring the combined Command Service
Module (CSM) and LM back to Earth after a failure in the Apollo CSM.

Ground Computer System Overview

Review of the ground computer systems indicated that these
systems were not applicable to the Shuttle application. This is
because most of these systems used dedicated strings and manual
break-before-make switching. It has been found that the typical
failure is a computer malfunction that manifests itself in large
errors such that the operator can detect the errors and effect a
manual switch over to a backup computer. The break-before-make
switchover does not allow for generic failures per the definition
used in this report. The ground computer systems reviewed
included the NASA JSC mission control center (RTCC and CCATS)
computers, the NASA GSC remote site automated systems, and the
KSC Saturn Launch Vehicle (Pad 39) automated systems. See
Appendices II through XVIII for further definition of the
computer systems investigated.



4.0 Recommendations

It is recommended that no further studies of the existing
aircraft, spacecraft, and ground systems be undertaken unless
they are of a very specific nature to investigate individual
items for which information is required. It is felt that the
review of existing systems has provided some general computer
system design philosophies and general guidelines which are
applicable to the Shuttle Orbiter and which have been enumerated
in this report. However, it has also been found that most system
implementations reviewed can only provide a limited amount of
applicable information due to their dissimilarity to the Shuttle
Orbiter.

It is also recommended that the emphasis now be directed
towards the Shuttle to relate the applicable aircraft philosophies,
to study applicable equalization approaches and to investigate
individual potential generic failure problems of the Orbiter.

It is further recommended that design groups be made aware
of their responsibility to stamp out generic failure mechanisms
by checking their designs for possible generic failure modes
and by eliminating any failure mechanisms found. However, it must
be recognized that this effort can only be directed from a system
design team having cognizance of the Shuttle systems as well as
the generic failure mechanisms.

It is also recommended that efforts to assess the sus-
ceptibility of the Orbiter to electromagnetic and electrostatic
energy be continued and increased in order to solve the apparent
generic design failure modes due to these energy sources. None
of the existing aircraft electrostatic dischargers, either
active or passive, are likely to meet the Orbiter requirements as
they are designed. Therefore, new or modified designs are
recommended.



5.0 Conclusions

It is felt that this investigation has been of value and
that it will provide background material necessary to identify,
define and solve unique Orbiter generic design problems.

In many areas much additional work remains. For example:

o The potential for Shuttle Orbiter generic design
failures due to electromagnetic or electrostatic
energy was proven. However, the unique transfer
functions for the coupling of this energy into the
Orbiter circuit components and the susceptibility
of these components were not determined.

o The design features and philosophy of some existing
computer systems have been determined. How these
philosophies need to be directed toward the Shuttle,
so that they can be used where appropriate.

o The susceptibility of interfacing parallel redundant
strings of electronics and computer programs to
generic failures has been identified. Detailed
effort is now required to analyze all interfaces of
parallel redundant strings including interfaces for
signal equalization, voting, and comparisons. Effects
of synchronization, voting, isolation, disconnect method,
signal bias, time delays, asynchronous operation, and
inadvertent errors/failures must be evaluated.

o Programming rules and tests to minimize or eliminate
programming oversights need to be defined and implemented.






APPENDICES

Appendices I through XVIII follow. Appendix I includes more
detailed information on electrostatic interference and
Appendices II through XVIII include additional and more
detailed information on individual computer systems investigated.

APPENDIX I

ELECTROSTATIC INTERFERENCE


1.0 Avionic Responses to Precipitation Static Environments

1.1 RF Interference

Radio frequency interference due to static charge has been
encountered since the first flights of early aircraft in bad
weather. Precipitation static (P-static) is well understood today
and has become the subject of specifications that control both the
charging of the source and the susceptibility of radio equipment.
Nevertheless, P-static control remains an active discipline as
the evolution toward more complex, more sensitive avionics
systems continues to uncover new modes of interference. Phase-
lock systems, FM systems, radio-guidance systems, and navigation
aids are all affected by static electrification discharges
through different interference modes. Much recent attention has
been directed toward quantifying the acceptable interference
level in terms more appropriate for systems than the simple
signal power/noise parameter. Expressions for the bit rate
error and the probability of a loss of phase lock, and techniques
to reject unreasonable data have been developed.

1.2 Logic Errors

Logic errors caused by a single discharge of static
electricity have been encountered when using computers for
guidance, navigation, and sequencing and in logic based programs
for telemetry and data acquisition systems. This type of
interference is quite a different matter than RF interference
discussed previously. Airborne computers, widely used for guidance
and commands, are extremely susceptible to a single discharge of
very low-energy static electricity.

During early Minuteman test flights, single electrostatic
discharges caused bit errors in the guidance computer, resulting
in the loss of two missiles due to premature flight termination.

Single discharges of static also occurred on two separate
Titan III flights in the late 1960s. In the first flight, a
computer instruction was altered and the computer jumped into a
backup flight mode. There were ten other modes it could have
entered, any of which would have terminated the flight. On the
next flight, steering data were altered and the missile turned
off path; the guidance error introduced by the electrical dis-
charge was eventually corrected. During an extensive ground test
program that ensued, it was discovered that a spark energy as low
as 565 ergs (0.0000565 joule) was sufficient to upset the computer.
For comparison, an operating room is considered ether-safe at
40,000 ergs, and safe for the most sensitive anesthetics at
4,000 ergs.

Other computers of quite different and more advanced design
were tested during a subsequent program. Despite the fact that
these designs included isolators and filters on input-output
lines, it was still found that some circuits were susceptible to
as little as a few thousand ergs in a single spark. In one case,
there was a period of 18? microseconds during certain logic
operations in which the susceptibility was an order-of-magnitude
more severe than at other times.

A similar situation has been encountered with data multi-
plexing systems. In one particular case, one of the wires was
found susceptible to a few hundred ergs in discharge, and to an
energy as low as 1 millivolt at a 100 kc rate. This wire was the
midpoint connection between a balanced bipolar power supply and
the differential (operational) amplifiers used to amplify all
samples of data.

Finally, a very simple operational amplifier, used in an
ordnance circuit monitor to ensure that there are no stray
signals, has been found to be susceptible to a single static
electricity discharge of 1 x 10^ ergs applied in the positive
sense, but susceptible to as little energy as ^00 ergs applied
identically, except in the negative sense.

2.0 Effects of a Static Environment on Non-Avionics

In addition to the interference with electronics the
electrification of the Orbiter may pose a significant threat to
the integrity of the RSI itself as well as a safety hazard to
both ground and orbital operations. On conventional large air-
craft, dielectric surfaces no larger than a windshield or canopy
have proven very troublesome because of charge buildup. The
charge often builds up until large sparks are generated to the
surrounding metallic structure; or when metallic heaters are
laminated into the windshield, sparks have punctured the outer
laminates and attached to the heater circuit, often damaging both
the windshield and heater circuit in the process. Charge can be
stored long enough for serious electrical shocks to be experienced
when ground personnel contact the windshield after landing.
Obviously, these problems will be magnified greatly when essenti-
ally the entire exterior surface of the vehicle is non-conducting.

It is interesting to note that studies on the electrification
of Titan and Apollo rockets have shown that the vehicle may be
charged to several hundred kilovolts by engine exhaust charging
once the exhaust plume breaks contact with the ground. Very
little precipitation charging of these metal-skinned rockets was
experienced at higher altitudes because the conductive exhaust
bled the charge off the vehicle as fast as it accrued. This is
unlike aircraft where the exhaust is not as conductive. It should
also be noted that the polarity of static electrification is not
usually predictable. It is, therefore, entirely possible that
engine exhaust charging could raise the potential of the metal
Orbiter substructure to a high value of one polarity, while an
opposite precipitation charge develops on the RSI surfaces. The
charges could not cancel, as they have been seen to do on conven-
tional rockets, resulting in an additional potential difference
between the exterior surface and the metal substructure.

Under these conditions the voltage differential can quickly
become great enough to flash across the tile surface and dis-
charge to the vehicle substructure via the gap joints. With the
massive amount of dielectric RSI surface, charge accumulation may
be rapid enough (with no bleed-off path) to result in a nearly
continuous arc streaming across and through the tiles.
Multiple pits and cracks in the RSI and its surface coatings are
likely consequences of such an energetic sparking activity.

3.0 Electrostatic Noise Spectrum and Magnitudes

Both flight test and laboratory measurements of the precipi-
tation static energy distributions have been made by a number of
researchers in this field. Figure 2 shows the generated noise
strength from laboratory simulated triboelectric charging of
various dielectric materials in the one to four GHz frequency
spectrum. The levels are high enough to suggest consideration
be given to obtaining similar data for the Shuttle Thermal
Protection System (TPS) materials, in view of a possible degrading
influence upon TACAN, Radar Altimeter, and MSBLS performance
during the landing phase. Figure 3 shows the noise current
spectral density at lower frequencies as a function of altitude.
Here it is significant to note a five fold buildup in noise at
1 MHz (Shuttle Data Bus Frequency) from sea level to 5^,000 feet.

FIGURE 3 - NORMALIZED NOISE SPECTRUM FROM AIRCRAFT TRAILING EDGE
(plot; vertical axis: relative noise current spectral density)



3.1 Preliminary Shuttle TPS Electrification Prognosis

During early experiments at the (name illegible) Lightning Simulation
Lab on the electrification characteristics of LI-1500 RSI tiles, wind
blown dust particles created a charging rate many times higher
than that exhibited by conventional aircraft materials. This may
have been due to the rough surface texture of the tiles. Prelimi-
nary data indicated the Shuttle will charge at eight times the
rate of an exposed all metallic skinned airplane.

Separate measurements were made of surface and volume
resistivity of the sample LI-1500 tiles on hand. These data
indicated much higher values than had been expected; in fact so
high as to be unmeasurable (> 10^12 ohms) by a ^00 volt megohm-
meter. This result, combined with the high charge rates observed,
suggests a potentially severe P-static problem to both the TPS
and avionics systems even under nominal entry conditions.

To get a grasp of the magnitude of static discharge energy
which could result from an Orbiter covered with LI-1500 (or LI-900)
flying through typical ice crystal cloud formations, the
following elementary analysis is offered:

Consider one tile of RSI, 6 inches square (surface area of
1 face = 0.0230 m²). Since most P-static charging will be in
Orbiter frontal areas where heat and therefore tile thickness is
greater, assume a tile thickness of 3.5 inches or 0.09 m including
the felt Strain Isolation Pad (SIP). From high voltage punch
through tests conducted on LI-1500 RSI, assume 100 kV/inch
required to punch through the thickness of the tile (about the
same as for air). Flashover around the surface is another
possibility and may likely occur at much lower voltages. The
flashover voltage is very difficult to predict but it will be a
function of tile coating, humidity, pressure and contamination.
For calculation purposes, assume 100 kV as the lower limiting
voltage for flashover vs 350 kV as the upper limit via punch
through. The charge stored on the surface of the tiles will be
calculated for both cases.

First, the capacitance of the tile is $C = \varepsilon A / d$. Assume
$\varepsilon = \varepsilon_0 = 8.85 \times 10^{-12}$ coulombs$^2$/newton-m$^2$,

$C = \dfrac{8.85 \times 10^{-12} \times 0.023}{0.09} = 2.26 \times 10^{-12}$ farads.

Since $Q = CV$,

the charge for flashover, $Q_f = (2.26 \times 10^{-12})(10^5) = 2.26 \times 10^{-7}$ coulombs;

the charge for punch through, $Q_p = (2.26 \times 10^{-12})(3.5 \times 10^5) = 7.9 \times 10^{-7}$ coulombs.

The energy of one spark discharge from a capacitance of $2.26 \times 10^{-12}$
farads can also be calculated:

$E_f = \tfrac{1}{2} C V^2 = \tfrac{1}{2}(2.26 \times 10^{-12})(10^5)^2 = 1.13 \times 10^{-2}$ joules

$E_f = 113{,}000$ ergs

Similarly $E_p = 1.38 \times 10^6$ ergs.

These calculations indicate spark energies of hundreds of
thousands of ergs are possible. From Paragraph 1.2 it has been
shown that a spark energy as low as 565 ergs is sufficient to
upset a computer logic in an actual spacecraft installation.

Assuming a charging rate of 40 microamps/square foot as measured on
conventional aircraft in flight, one tile would see a charge rate
of 10 microamps ($10^{-5}$ coulombs/second), resulting in 44.2 flashover
discharges of 113,000 ergs per second per tile, or 12.7 punch
through discharges of $1.38 \times 10^6$ ergs per second per tile.

Although the number of tiles representing the electrical equiva-
lent of the Orbiter frontal area has not been calculated, it is
reasonable and conservative to estimate 1000 tiles (250 sq. feet).
Thus:

o Total flashovers = 44,200/second at 113,000 ergs.
o Total punch-throughs = 12,700/second at $1.38 \times 10^6$ ergs.
o Equipment susceptibilities observed: one spark at 565 ergs.
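The tile electrification estimate of Paragraph 3.1 is carried through below in Python as an added worked example; it is not code from the report. The numerical inputs (0.023 m² face, 0.09 m thickness, 100 kV and 350 kV breakdown voltages, 40 microamps per square foot, 1000 tiles, the 565 erg susceptibility from Paragraph 1.2) are the report's own assumptions, reproduced as defaults so that any of them can be varied; the function and parameter names are constructed for this example.

```python
"""Added example, not part of the report: the Appendix I, Paragraph 3.1
tile electrification estimate carried through in code so that the
assumptions can be varied.  Numerical inputs are the report's; the
function and parameter names are constructed."""

EPSILON_0 = 8.85e-12      # farads per metre (value used by the report)
ERGS_PER_JOULE = 1.0e7


def tile_capacitance(area_m2=0.023, thickness_m=0.09, eps=EPSILON_0):
    """Parallel-plate approximation C = eps * A / d, the report's model."""
    return eps * area_m2 / thickness_m


def stored_charge(capacitance_f, voltage_v):
    """Q = C V."""
    return capacitance_f * voltage_v


def spark_energy_ergs(capacitance_f, voltage_v):
    """E = 1/2 C V^2, converted from joules to ergs."""
    return 0.5 * capacitance_f * voltage_v ** 2 * ERGS_PER_JOULE


def discharges_per_second(charge_rate_a, capacitance_f, voltage_v):
    """How often a tile charged at a steady current reaches the breakdown
    voltage and discharges (charging current divided by charge per spark)."""
    return charge_rate_a / stored_charge(capacitance_f, voltage_v)


def electrification_estimate(area_m2=0.023, thickness_m=0.09,
                             flashover_v=1.0e5, punch_through_v=3.5e5,
                             charging_a_per_ft2=40e-6, tile_ft2=0.25,
                             tiles=1000, susceptibility_ergs=565.0):
    """Returns the per-tile and whole-frontal-area discharge picture for the
    two breakdown cases, plus the ratio of each spark's energy to the lowest
    observed computer upset energy."""
    capacitance = tile_capacitance(area_m2, thickness_m)
    per_tile_a = charging_a_per_ft2 * tile_ft2      # 6 inch tile = 0.25 sq ft
    result = {"capacitance_f": capacitance, "charge_rate_a": per_tile_a}
    for label, voltage in (("flashover", flashover_v),
                           ("punch_through", punch_through_v)):
        energy = spark_energy_ergs(capacitance, voltage)
        rate = discharges_per_second(per_tile_a, capacitance, voltage)
        result[label] = {
            "charge_c": stored_charge(capacitance, voltage),
            "energy_ergs": energy,
            "per_tile_per_s": rate,
            "vehicle_per_s": rate * tiles,
            "energy_over_susceptibility": energy / susceptibility_ergs,
        }
    return result


if __name__ == "__main__":
    import pprint
    pprint.pprint(electrification_estimate())
```

The defaults reproduce the report's figures (about 2.26 pF per tile, 113,000 ergs per flashover at 44 per second per tile, 1.38 million ergs per punch-through at 12.6 per second per tile); the last field shows that even the lower-energy flashover spark carries roughly two hundred times the 565 erg upset energy quoted in Paragraph 1.2.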




APPENDIX II

DC-10 COMPUTER SYSTEM

The DC-10 uses four analog computer systems for flight
control. The computer architecture is depicted in Figures 4
through 6. This system is, however, backed up by a mechanical
cable flight control system. The four computers are grouped into
two pairs to form a dual-dual computational system. That is,
computer 1A outputs of Figure 4 are compared with computer 1B
outputs and computer 2A outputs are compared with computer 2B
outputs. There are no cross comparisons between computers 1A/1B
and 2A/2B. Comparisons are made four times in the computational
path on actual commands. Sensor signal differences, for example,
to computers 1A and 1B are subtracted out (equalized or cancelled)
since the detection of short period variations between channels
is of interest. These short period variations, rather than long
term variations, between the computational channels are indicative
of channel failure. Similarly, the computational differences
between the two channels under comparison are subtracted out
(cancelled out) so that the comparators will only sense true
failures.
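The equalization described here, and the concern raised earlier in the report that small differences between computational strings propagate into divergent commands through integration, can be seen in a short simulation. The Python program below is an added example, not code from the report or from the DC-10 system: two channels integrate a rate sensor, each sensor carrying its own small bias; a low-pass equalizer removes the long-term difference between the two inputs while letting a sudden step through; and a comparator trips only after several consecutive out-of-tolerance frames, in the spirit of the "confirm failures before disconnecting" philosophy item. The biases, gains, tolerance, confirmation count, injected fault and all names are constructed.

```python
"""Added example (not from the report): two redundant integrating control
strings fed by sensors with slightly different biases, compared by a
comparator that confirms a miscompare for several consecutive frames
before tripping.  Running it with and without input equalization shows
why a small constant difference becomes a divergent command through
integration, and why an equalizer that cancels only the slow difference
still lets a sudden channel failure through to the comparator.  Gains,
tolerances, biases and the injected fault are constructed values."""

DT = 1.0               # integration step, one frame (constructed)
TOLERANCE = 0.45       # command miscompare threshold (constructed)
CONFIRM_FRAMES = 3     # consecutive out-of-tolerance frames before tripping
ALPHA = 0.1            # equalizer low-pass gain; small => only slow differences cancelled


class Equalizer:
    """Estimates the long-term difference between two sensor inputs with a
    first-order low-pass filter and splits the correction between the
    channels.  A short-term difference (a step failure) passes through
    almost unchanged until the filter catches up."""

    def __init__(self, alpha=ALPHA):
        self.alpha = alpha
        self.bias_estimate = 0.0

    def apply(self, s_a, s_b):
        diff = s_a - s_b
        self.bias_estimate += self.alpha * (diff - self.bias_estimate)
        half = 0.5 * self.bias_estimate
        return s_a - half, s_b + half


class Comparator:
    """Latching comparator: trips when the two commands differ by more than
    TOLERANCE on CONFIRM_FRAMES consecutive frames."""

    def __init__(self):
        self.out_of_tolerance = 0
        self.tripped_at = None

    def check(self, frame, cmd_a, cmd_b):
        if self.tripped_at is not None:
            return True
        if abs(cmd_a - cmd_b) > TOLERANCE:
            self.out_of_tolerance += 1
            if self.out_of_tolerance >= CONFIRM_FRAMES:
                self.tripped_at = frame
        else:
            self.out_of_tolerance = 0
        return self.tripped_at is not None


def run(frames, bias_a=0.01, bias_b=-0.01, equalize=True,
        fault_frame=None, fault_step=0.0):
    """Both channels integrate a constant true rate of 1.0 plus their own
    sensor bias.  From fault_frame on, channel B's sensor is offset by
    fault_step (a constructed failure).  Returns (frame at which the
    comparator tripped, or None; final command difference A - B)."""
    equalizer = Equalizer() if equalize else None
    comparator = Comparator()
    cmd_a = cmd_b = 0.0
    for frame in range(frames):
        s_a = 1.0 + bias_a
        s_b = 1.0 + bias_b
        if fault_frame is not None and frame >= fault_frame:
            s_b += fault_step
        if equalizer is not None:
            s_a, s_b = equalizer.apply(s_a, s_b)
        cmd_a += s_a * DT            # integration: this is what turns a
        cmd_b += s_b * DT            # constant input difference into a divergence
        comparator.check(frame, cmd_a, cmd_b)
    return comparator.tripped_at, cmd_a - cmd_b


if __name__ == "__main__":
    print("no equalization, healthy channels:", run(200, equalize=False))
    print("equalized, healthy channels:      ", run(200))
    print("equalized, step failure at 50:    ", run(200, fault_frame=50, fault_step=2.0))
```

Without equalization the two healthy channels drift apart at 0.02 per frame and the comparator trips on frame 24, a false disconnect of a good pair. With equalization the accumulated difference settles near 0.18 and the comparator never trips, yet a 2.0 step injected into channel B at frame 50 is confirmed on frame 52 because the equalizer has cancelled only the slow bias, not the sudden change.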

When a non compare is indicated between two compu-
tational channels both channels are switched out of the
system because it cannot be determined which channel
has failed. However, in some DC-10's a PAFAM unit is used
in addition to the four computational strings. In this


FIGURE 4 - TYPICAL DC-10 FOUR CHANNEL SYSTEM
(block diagram; labels recovered: dual yaw rate)

FIGURE 5 - DC-10 SIMPLIFIED AUTOMATIC PILOT BLOCK DIAGRAM
(block diagram; labels recovered: cruise inboard)

FIGURE 6 - DC-10 AUTOMATIC FLIGHT CONTROL SYSTEM
(block diagram; blocks recovered: automatic throttle/speed control
computer, air data computer, navigation receiver, flight guidance
control panel, vertical gyro or INS, radio altimeter, equalization,
equalization inputs; note on figure: inputs not utilized during
automatic approach and landing modes)


case the PAFAM can be used to determine which of the two strings
has failed so that the good string can remain active. The PAFAM
unit will prevent autoland system disconnection if it observes
no hardover failures and if it observes no performance degradation.
This is true even if the comparators for the computational strings
indicate a "non compare" or failed condition.

The PAFAM unit provides dissimilar functional redundancy to
the flight control system. The unit is digital and is 100 percent
self monitored and includes a watch dog timer, sample check, and
check of proper register transfer. The unit is designed to meet
FAA criteria of less than or equal to one false indication in
10^9 indications.

The PAFAM provides supervisory control of autoland disconnect
functions, as noted previously. It includes a fast time model for
prediction of the aircraft touchdown point. This predicted
touchdown point is displayed to the crew. "Takeover" and other
advisory commands are displayed to the crew when a failure is detected
by the PAFAM. The PAFAM notifies the crew of a failed condition
and allows computer switching but doesn't accomplish switching
by itself. The PAFAM also acts as a third entry for verification
of failed computation strings. When two strings fail due to a
non compare the PAFAM restores one computational string
to use, the good one.

The DC-10 program has indicated that two types of system
degradations must be designed for: equipment malfunctions and
input source errors. Input source errors include wind shears and
erroneous landing system beams. With input signal source errors
the comparators for the redundant computational path will indicate
a compare condition but the vehicle may not be going to land on
the runway. The PAFAM unit uses the fast time model to detect
input source errors and to predict the touchdown point.

The PAFAM receives all inputs received by the other
computational strings plus it uses other sensors such as
accelerometers to accomplish its supervisory functions.

The PAFAM has been found useful but not mandatory for auto-
land. During development the PAFAM confirmed non-optimum control
laws and assisted by indicating when manual takeover was required.
The PAFAM was included in the initial system planning because
it was felt that something could be overlooked in automatic
system design and at the time pilots had a low confidence level
in autoland systems.

The DC-10 has an analog flight control system because at
the time of development all industry experience was analog and
there was a high confidence in the ability to control and
suppress electromagnetic impulses in analog flight control
systems. On the DC-10 program a trade was made between triplex
and quad computational strings. Quad was selected due to its
lower sensitivity to failures and because the quad approach
matched plans for four control surfaces, and sensors in pairs.



APPENDIX III

L-1011 COMPUTER SYSTEM

The L-1011 uses four analog computer systems for flight
control. The computer architecture is depicted in Figure 7.
This system is, however, backed up by a mechanical cable flight
control system. The four computers are grouped into two pairs
to form a dual-dual computational system. Comparisons are made
between the strings of each dual set in both the ILS and automatic
flight control system. The voters select the best computer
outputs. For example, one of two center signals is selected,
or the center signal is selected after one failure. For the
command rate and command position servos the servo feedback to
the servo amplifier must equal the servo amplifier command
within a given tolerance. A false condition indicates a failure.
On this system two failures of a similar nature cause complete
and automatic disconnection of the autopilot. The pitch and
roll channels are not dual-dual in the autoland mode. The yaw
channel is always dual-dual.



“50 




FIGURE 7 - L-1011 FLIGHT CONTROL SYSTEM 














APPENDIX IV



B-1 COMPUTER SYSTEM


The B-1 uses four analog computational systems for flight control. The computer architecture is depicted in Figure 8. This system is, however, backed up by a mechanical cable flight control system. The four computers are grouped into two pairs to form a dual-dual computational system. Comparisons are made between the strings of each dual set in both the flight control electronics outputs and the actuators. Equalization of signals between two channels is accomplished at the actuators.

The requirement for operation is fail operational, fail safe. The failure reversion modes used are four computational strings active, to two strings active, to mechanical cable control. The mechanical system can fly the vehicle safely. The reason for functional redundancy (fly-by-wire and fly-by-cable) is that this was a proven and safe design. The disconnection of the fly-by-wire system is both at the flight control output and at the actuators shown in Figure 8. Disconnection is accomplished at the actuators if the system cannot compensate for differences in channels within safe limits.



FIGURE 8 - B-1 FLIGHT CONTROL SYSTEM
(Figure legend recovered from the scan: actuators; * system disconnect positions.)










APPENDIX V 





DC-10 DIGITAL R&D COMPUTER SYSTEM

This digital flight control system is a "dual, quad" system used for both flight control and autoland. The system consists of two digital computers driving four analog systems. The digital computers have digital to analog output channels and analog to digital conversion on the input channels. Each digital computer drives two analog strings. The analog strings have an output comparison logic which removes two strings at a time if a "no-compare" situation occurs. One digital computer and two analog strings work together as a dedicated system which is not cross strapped with the other digital computer and its two analog strings.

A single system consisting of one digital computer and two analog strings was installed in parallel with one-half of the normal DC-10 analog system and flown successfully several times. No DC-10 PAFAM system was used during these flights.



APPENDIX VI



F-4 COMPUTER SYSTEM


The F-4 autoland system uses a simplex autoland autopilot coupler system. Autoland commands for the system are generated by the SPN-42 radar tracking landing system, which is located on aircraft carriers or on the ground. Commands from the SPN-42 are transmitted to the F-4 via an ASW-25 data link system. In addition to this autocoupler system a secondary landing system is located on the F-4. This secondary, SPN-41 (or C-SCAN), landing system is a microwave landing system that provides azimuth and elevation error information to the pilot similar to the conventional ILS. The SPN-41 is used by the pilots to ascertain that the SPN-42 autocoupler autoland system is functioning properly. The SPN-41 system is not an autoland system; however, it provides a measure of functional redundancy since the SPN-41 may be used (weather permitting) to accomplish a manual landing if the SPN-42 autocoupler system fails. The primary function of the SPN-41 is to provide confidence to the pilots that the autoland system (SPN-42 coupler) is performing an accurate automatic landing.

Failure cues for the pilots are obtained in several ways. Failures are deduced from the secondary SPN-41 system displays, from manual or waveoff commands generated at the shipborne or ground terminal and transmitted to the F-4 via the data link, and from the master caution and coupler off light.

The criteria for deactivating the autoland coupler mode are no commands received on board via the data link for "X" seconds, hardover control surfaces, and aircraft outside safe boundaries set by the ground. If any of these conditions are true the autocoupler system will automatically disconnect, requiring manual takeover. When the coupler and autopilot are disengaged from the autoland mode the systems are placed in the stability augmentation mode.



APPENDIX VII 





F-8C COMPUTER SYSTEM

The F-8C fly-by-wire control system includes a digital primary system and an analog backup system. These systems were substituted for the normal F-8C mechanical flight control system. The Apollo computer was used as the heart of the primary system. As shown in Figure 9, a simplex digital primary system and a triplex electrical analog backup system were used. As shown there was an active and a monitor servo path. If a failure occurred in either path a hydraulic comparator would sense the differential pressure between the active and the monitor servo valve and transfer control to the backup control system. As long as the primary control system was generating commands normally, the backup control system would track the active channel by way of the synchronization network. Only the hydraulic pressure was bypassed at the secondary actuator, so that the backup system was ready to take over at any time. If a transfer to the backup system was requested, the bypass was removed and the synchronization network was disabled, resulting in immediate proportional control from the pilot's stick. In the backup mode, the active servo valve was blocked and the secondary actuator operated as a force summer for the three backup channels. The digital computer continued to operate, computing the control laws which gave the best estimate of what the backup system commanded. If a transfer to the primary control system was attempted, the transient was small as long as the computer was tracking the backup system. If the error was excessive between the primary control system and the backup control system, a cross-channel comparator prevented transfer to the primary control system.

FIGURE 9 - F-8C DIGITAL FLY-BY-WIRE SYSTEM MECHANIZATION
(Block labels recovered from the scan: single-channel primary: analog measurement unit, Apollo computer, digital-to-analog converters; dual-channel: transducers, sync, stabilization, backup electronics; active and monitor servo valves, bypass, comparator, secondary actuator, power actuator. * Sync occurs only while in primary system.)

Since the trim inputs, sensor position inputs, and electronic gains were not necessarily the same in each backup control system channel, equalization was included to reduce errors between channels. Electronic and servo signals were monitored at two points within the backup control system. The channel voter output was compared with the channel voter inputs. If the difference was greater than the set threshold, the monitor was latched and the electronic channel was reported failed.

Although built-in fault detection was extremely important for both the primary and the backup systems, it was of particular importance in the primary system. Because the primary system was full authority as well as single channel, its responses could have been hazardous if failures were not handled properly. Therefore, it had to be established that no digital computer system hardware failure would cause a hardover or otherwise hazardous signal. Figure 10 shows the type of digital system failure detection used. The Apollo computer had an extensive and proven fault detection and reporting system which was built into the computer (item 1 in Figure 10). This system, modified slightly for application to the F-8C airplane, was the most significant portion of the failure detection system. Some of the types of failures detected were:

Logic circuits -
    Parity failed
    Program entered loop and did not exit
    Program attempted to access unused read-only memory
    Program failed to check in occasionally
Analog circuits -
    Voltage went out of limits
    Oscillator failed
    Timing pulse generator failed

FIGURE 10 - DIGITAL SYSTEM FAILURE DETECTION AND REPORTING SYSTEM

Each of these failures caused a restart, that is, a hardware-forced transfer out of the control law program to a software routine which performed several clearing and initialization steps in an attempt to correct the cause of the restart before allowing control law computations to continue. For some restart conditions, a signal was issued which caused a transfer to the backup control system.

The Apollo computer also monitored the performance of the inertial measurement unit (item 2, Figure 10). Written into the software were decisions either to transfer the system to the backup control system for serious failures or to select the direct mode in the primary system for situations such as an inertial measurement unit accelerometer failure, which would affect only certain augmented modes.

Analysis of primary system failures showed the need for additional hardware failure detection circuitry (item 5, Figure 10). The failure of certain channel output bits not monitored by the Apollo computer, in combination with normal pilot reactions, could have led to hazardous situations. These conditions first became apparent in piloted, closed-loop simulations using the iron bird simulator. The necessary hardware modifications were made and implemented in the system to circumvent these failure conditions or to cause a transfer to the backup control system when prevention was not possible.

Built-in test equipment for the backup system and primary electronics was provided. This self-test equipment could be activated only during preflight tests.

Another type of logic function was the software reasonability test which was applied to each surface command before it was sent to the digital-to-analog converter. If the new command differed from the previous command by more than a predetermined amount, the affected axis would have transferred to the direct mode. This down mode philosophy was based on the assumption that a reasonability limit would be exceeded because of generic failures in the augmentation control laws rather than because of a hardware failure which would have affected the direct mode as well. It was assumed that a hardware failure would have been detected by the built-in Apollo computer fault detection logic.
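As an added illustration (not code from the report or from the F-8C program), the Python below models the two software checks described for the primary system: the per-axis reasonability test that downmodes an axis to direct mode when a surface command jumps by more than a set amount, and the cross-channel comparator that refuses a transfer back to the single-channel primary while its command differs from the backup by more than a threshold. The limit values, the axis names, the threshold and the direct-mode behaviour (the pilot's stick command is passed through and the augmentation output ignored) are assumptions for the example.

```python
"""Constructed model of the F-8C primary-system software checks (example only)."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed per-axis reasonability limits: the largest change allowed between two
# successive surface commands (constructed values, not from the report).
REASONABILITY_LIMIT = {"pitch": 2.0, "roll": 3.0, "yaw": 1.5}

# Assumed cross-channel comparator threshold guarding re-engagement of the primary.
TRANSFER_THRESHOLD = 1.0


@dataclass
class Axis:
    """One control axis of the primary system.

    mode is "augmented" while the control laws drive the surface, or "direct"
    after a reasonability trip, when the pilot's stick command is passed through.
    """
    name: str
    mode: str = "augmented"
    last_cmd: float = 0.0

    def next_command(self, law_cmd: float, stick_cmd: float) -> float:
        """Return the command sent to the D/A converter for this frame."""
        if self.mode == "augmented":
            # Reasonability test: a jump larger than the limit is attributed to a
            # generic control-law failure, so this axis alone downmodes to direct.
            if abs(law_cmd - self.last_cmd) > REASONABILITY_LIMIT[self.name]:
                self.mode = "direct"
            else:
                self.last_cmd = law_cmd
                return law_cmd
        # Direct mode: the augmentation output is ignored and the stick command is used.
        self.last_cmd = stick_cmd
        return stick_cmd


def run_axis(name: str, frames: list[tuple[float, float]]) -> list[tuple[float, str]]:
    """Feed (law_cmd, stick_cmd) pairs through one axis; return (output, mode) per frame."""
    axis = Axis(name)
    return [(axis.next_command(law, stick), axis.mode) for law, stick in frames]


def transfer_to_primary_allowed(primary_cmd: float, backup_cmd: float) -> bool:
    """Cross-channel comparator: the backup (in control) hands over only when the
    primary's estimate is close enough that the transfer transient stays small."""
    return abs(primary_cmd - backup_cmd) <= TRANSFER_THRESHOLD


if __name__ == "__main__":
    # Constructed frame sequence: the third control-law command jumps by 4.8 units,
    # which exceeds the pitch limit of 2.0, so the axis downmodes and stays in direct.
    frames = [(0.5, 0.4), (1.0, 0.6), (5.8, 0.7), (6.0, 0.9)]
    for out, mode in run_axis("pitch", frames):
        print(f"{mode:9s} -> {out:.2f}")
    print("transfer allowed:", transfer_to_primary_allowed(2.3, 2.0))  # True
```

Note that the trip is per axis and latching, matching the text: only the affected axis leaves the augmented mode, and the offending command never reaches the converter.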

Preflight testing was accomplished by an automatic self-test procedure that provided a pseudo end-to-end testing of the system. The self-test involved the introduction of a logic controlled stimulus and the disabling of circuit functions, and it used in-flight monitors to indicate the response. The use of the in-flight monitors as the self-test feedback elements served to check the channel signal paths and the operation of the in-flight monitors. This resulted in a "bang-bang" type of test with no indication of system degradation.

The F-8C fly-by-wire system experience with two dissimilar systems provides information applicable to future systems which are likely to have dissimilar redundancy. Most of the problems were concerned with the synchronization of the two systems. The goal for transfers from one system to another was to minimize transients caused by the transfer. In each instance, the system in control was tracked by the other system so that transients would be minimized. However, the primary system tracked the backup system by estimating the surface command of the backup system based on the pilot's control commands and trim inputs only. In transfers from the primary system to the backup system, the backup system tracked the output of the primary system. Although this eliminated the need to reconstruct the primary system signal propagation in the backup system, it did open the possibility for unusual initialization conditions when the transfer occurred during an abrupt maneuver. Another factor was that a transfer from the primary system to the backup system could have been initiated automatically as a result of a failure; thus the failure analysis had to consider all possible failures that could have resulted in a transfer. The timing of this transfer was critical in some instances when it could have coupled with the pilot's normal response to cause unacceptable conditions.

Many of the non-compare conditions occurring in the secondary actuator differential pressure networks were caused by tracking errors between differential pressure signals, which caused the comparators to trip. The problems were caused by component tolerances and valve nulls and were predictable for certain control stick locations.

* , I 

No digital system failures were experienced during flight; however, some flights were made using the backup mode in order to evaluate the backup. It is planned to continue the F-8C fly-by-wire program (Phase II) using a fully redundant triplex system to verify concepts of concern to the Space Shuttle Orbiter. Verification of redundancy management software for digital processing and sensor fault detection, and reduced generic failure probabilities, should result from this simulation. A dissimilar backup system will also be used. The first F-8C fly-by-wire flights were made in 1972 with additional flights in Phase II planned for 1975 through 1977.



APPENDIX VIII



F-15 COMPUTER SYSTEM


The F-15 uses a simplex computer with two data buses for those functions not in the safety of flight loop. In addition a separate digital differential analyzer (DDA) is used with an inertial platform for navigation. In case of a failure of the DDA the simplex computer serves as a backup to the DDA. In this system the pilot makes the decision to deactivate a failed computer. A panel light alerts the crew of a failed condition. Deactivation of the failed computer refers to disconnection of the failed unit, since the failed unit continues to operate.





APPENDIX IX



F-4 FLY-BY-WIRE SYSTEM

The F-4 fly-by-wire system as previously tested has no automated flight modes and therefore was not investigated extensively for this report. However, this system uses quad redundant electronics channels from the control stick to the control surfaces and uses elaborate failure detection and reporting circuitry. The panel display lights indicate both the failed electronics and failed actuators in each axis and each electronic string. These lights are driven from the comparator outputs. Failed electronics and failed actuators can be independently deactivated. Deactivation is accomplished automatically upon indication of a non-compare condition. The comparator scheme used is similar to that described in Appendix XV, Advanced Computer System.



APPENDIX X



F-14 COMPUTER SYSTEM


The F-14 uses three special purpose digital computers which operate in a sequential manner. Each computer is dedicated to selected mission phases which overlap during the switching period. One computer is used for the take-off, climb, descent, and landing. Another, the Central Air Data Computer (CADC), is used for general flight. The third, the Central Data Processor (CDP), is used for prime mission objectives such as target tracking and fire control.

A manual fly-by-cable backup mode is provided. This mode is achieved by manually overriding the electronic system.

Mission phase switching is normally done automatically. The computers are not redundant and do not serve as a backup to each other.



APPENDIX XI 





F-111 COMPUTER SYSTEM

The F-111 uses triple redundant electronics with middle value selection. A mechanical cable control system is available as a backup system.



APPENDIX XII 





S-3A COMPUTER SYSTEM


The cross strapping arrangement used in the Univac 1832 Computer System is shown in Figure 11. This diagram indicates the extensive cross strapping between modules to prevent a single failure in a string from making a serial interface section inoperative. Also shown is the configuration for triple memory redundancy in which each processor has independent access to all memory banks.



FIGURE 11 - S-3A DATA MANAGEMENT SUBSYSTEM












APPENDIX XIII



TAGS COMPUTER SYSTEM

The Tactical Aircraft Guidance System (TAGS) was designed to evaluate advanced flight control concepts for the CH-47 helicopter. The system consisted of a triple redundant flight control system. A simplified block diagram for TAGS is shown in Figure 12. As shown, the triplex sensors are dedicated on a channel basis for data acquisition. The flight control actuator command selection circuits use middle value selection algorithms. The actuators are triplex and force-sharing through use of a mechanical force-summing bar. A more detailed system block diagram is shown in Figure 13.

TAGS did experience a psychotic type failure due to programming oversights. The program as initially designed could not handle a second failure in a second computer before three computation cycles had elapsed since the first failure. This resulted in a complete shutdown of all three computer systems due to a single failure. Reversion to a mechanical backup system was required to preclude loss of control.
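The failure mode just described, as an added model (not TAGS code and not the report's): a redundancy manager that, after flagging one computer, spends three computation cycles isolating it and has no path for a second report inside that window, so a one-cycle miscompare on a second computer during the window shuts every computer down; beside it, a manager that counts consecutive miscompares per computer and isolates only after a persistence threshold is met, so the same input sequence ends in duplex operation with one computer isolated. The cycle-by-cycle miscompare inputs, the persistence threshold, the mode names and the shutdown rule are constructed for the example; only the three-cycle window comes from the text.

```python
"""Constructed model of the TAGS shutdown and of a hardened redundancy manager."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

ISOLATION_CYCLES = 3   # cycles the original design needed to process one failure (from the text)
PERSISTENCE = 3        # assumed: consecutive miscompares required before a computer is isolated


def mode_for(healthy: int) -> str:
    """Operating mode by number of healthy computers (constructed names)."""
    return {3: "triplex", 2: "duplex", 1: "simplex"}.get(healthy, "mechanical-backup")


@dataclass
class FlawedManager:
    """Processes one failure at a time; a second report inside the window is fatal."""
    computers: int = 3
    isolated: set[int] = field(default_factory=set)
    pending: Optional[int] = None
    cycles_left: int = 0
    shutdown: bool = False

    def cycle(self, miscompares: set[int]) -> str:
        if self.shutdown:
            return "shutdown"
        if self.pending is not None:
            self.cycles_left -= 1
            if self.cycles_left == 0:
                self.isolated.add(self.pending)
                self.pending = None
        for c in sorted(miscompares - self.isolated - {self.pending}):
            if self.pending is None:
                self.pending, self.cycles_left = c, ISOLATION_CYCLES
            else:
                # A second computer reported while the first is still being processed:
                # the original program had no path for this and shut everything down.
                self.shutdown = True
                return "shutdown"
        return mode_for(self.computers - len(self.isolated))


@dataclass
class PersistentManager:
    """Tracks each computer independently and isolates it only after PERSISTENCE
    consecutive miscompares, so a transient on a second computer during the
    isolation of the first is counted and then forgotten."""
    computers: int = 3
    isolated: set[int] = field(default_factory=set)
    counts: dict[int, int] = field(default_factory=dict)

    def cycle(self, miscompares: set[int]) -> str:
        for c in range(1, self.computers + 1):
            if c in self.isolated:
                continue
            self.counts[c] = self.counts.get(c, 0) + 1 if c in miscompares else 0
            if self.counts[c] >= PERSISTENCE:
                self.isolated.add(c)
        return mode_for(self.computers - len(self.isolated))


def run(manager, scenario: list[set[int]]) -> list[str]:
    """Drive a manager through per-cycle miscompare sets; return the mode after each cycle."""
    return [manager.cycle(set(m)) for m in scenario]


# Constructed scenario: computer 1 fails for good at cycle 1; computer 2 shows a
# one-cycle transient miscompare at cycle 2, inside the three-cycle window.
SCENARIO = [{1}, {1, 2}, {1}, {1}, {1}]

if __name__ == "__main__":
    print(run(FlawedManager(), SCENARIO))  # ['triplex', 'shutdown', 'shutdown', 'shutdown', 'shutdown']
    hardened = PersistentManager()
    print(run(hardened, SCENARIO), hardened.isolated)  # ['triplex', 'triplex', 'duplex', 'duplex', 'duplex'] {1}
```

The flawed manager still handles two failures correctly when they are well separated in time; the defect is only exposed by overlap, which is why it survived until a single real failure produced a spurious second report.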



FIGURE 13 - TAGS CONFIGURATION BLOCK DIAGRAM




























YF-16 COMPUTER SYSTEM

The YF-16 uses a quadruple redundant all fly-by-wire control system. The system has four independent computational paths and uses a middle signal select algorithm, except after two failures a lower signal select algorithm is used. No fly-by-cable system is retained in the YF-16. After the middle value is selected, the selected signal is quadrupled so that four identical signals are available as outputs to the servo actuators. Three outputs of the computational strings, e.g. A, B, and C, as shown in Figure 14, are compared at one time. If one of these three strings, e.g. B, varies a predetermined amount from the other two, then string D is substituted instantaneously and automatically for B.



FIGURE 14 - YF-16 FLIGHT CONTROL SYSTEM






APPENDIX XV



ADVANCED COMPUTER SYSTEM


An advanced flight control system that was under investigation for advanced fighter aircraft by McDonnell Douglas is depicted in Figure 15. This figure shows how two comparison points can be used in a computational and control electronic string: one at the output of the actuators so that complete strings are being compared, and one at the output of the computational circuits so that an actuator is not lost due to a computational fault. The voter (signal selector) is to be designed so that a failed input is never selected as the output of the voter. The comparators at the actuators measure pressure differential between actuator outputs in a manner such that the failed string can be detected. For example, if for comparator A input 1A1 does not compare with 1A2, and for comparator B input 1B1 does not compare with 1B2, a failure in string "one" is indicated. The same type of comparator arrangement would be used to detect failures in strings two, three and four.

Four control strings are used so that fail operational, fail operational, fail safe (FO/FO/FS) operation can be achieved using only four comparators.

The voters can use standard selection algorithms such as select second from bottom value and middle value select.
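As an added example (not the report's code and not McDonnell Douglas's), the Python below implements the selection and fault-isolation ideas of this appendix and of the YF-16 appendix above: middle value select, second-from-bottom select, a voter that never selects a failed input and degrades from four strings to two before declining to produce an output (FO/FO/FS), the YF-16 rule of comparing three strings and substituting the fourth when one diverges, and the actuator comparator rule in which a string is declared failed only when its inputs miscompare at both comparator A and comparator B. The tolerance values and all signal and comparator readings are constructed; Figure 15 is not reproduced, so the physical meaning of the paired comparator inputs (1A1/1A2 and so on) is taken only as "two pressure-differential inputs for that string at that comparator".

```python
"""Constructed model of quad-string signal selection and comparator fault isolation."""
from __future__ import annotations
from typing import Optional


def middle_value_select(values: list[float]) -> float:
    """Median of an odd number of inputs: one hardover input can never be chosen."""
    s = sorted(values)
    return s[len(s) // 2]


def second_from_bottom_select(values: list[float]) -> float:
    """Second-lowest of four inputs: one failed-high or failed-low input is excluded."""
    return sorted(values)[1]


def lower_signal_select(values: list[float]) -> float:
    """Lower of the two surviving inputs, used once no majority is left to vote with."""
    return min(values)


def select_output(signals: dict[str, float], failed: set[str]) -> Optional[float]:
    """Voter that never selects a failed input.

    With four healthy strings the second-from-bottom value is used, with three the
    middle value, with two the lower signal (FO/FO); with fewer than two the voter
    declines to produce an output, which is the fail-safe disconnect (FS).
    """
    healthy = [v for name, v in signals.items() if name not in failed]
    if len(healthy) == 4:
        return second_from_bottom_select(healthy)
    if len(healthy) == 3:
        return middle_value_select(healthy)
    if len(healthy) == 2:
        return lower_signal_select(healthy)
    return None


class QuadVoter:
    """YF-16 style selection: vote three strings, hold the fourth as a substitute.

    Each cycle the three active strings are compared. A string that differs from
    both of the others by more than the tolerance is declared failed and the spare
    string takes its place instantaneously; after a second failure only two strings
    remain and lower signal select is used.
    """

    def __init__(self, tolerance: float):
        self.tolerance = tolerance
        self.active = ["A", "B", "C"]
        self.spare = ["D"]
        self.failed: list[str] = []

    def _isolate(self, signals: dict[str, float]) -> None:
        for s in list(self.active):
            others = [signals[o] for o in self.active if o != s]
            if all(abs(signals[s] - v) > self.tolerance for v in others):
                self.failed.append(s)
                self.active.remove(s)
                if self.spare:
                    self.active.append(self.spare.pop())
                return

    def select(self, signals: dict[str, float]) -> float:
        if len(self.active) == 3:
            self._isolate(signals)
        vals = [signals[s] for s in self.active]
        return middle_value_select(vals) if len(vals) == 3 else lower_signal_select(vals)


def failed_strings(readings: dict[int, dict[str, tuple[float, float]]],
                   tolerance: float) -> list[int]:
    """Actuator comparator rule from the text.

    readings[string][comparator] holds that comparator's two inputs for the
    string, e.g. readings[1]["A"] = (1A1, 1A2). A string is declared failed only
    when its inputs miscompare at every comparator, so a single bad comparator
    input cannot by itself take a healthy string out of the set.
    """
    return [string for string, comps in readings.items()
            if all(abs(x1 - x2) > tolerance for x1, x2 in comps.values())]


if __name__ == "__main__":
    voter = QuadVoter(tolerance=0.5)
    print(voter.select({"A": 1.0, "B": 1.1, "C": 0.9, "D": 1.0}))  # 1.0, middle value
    print(voter.select({"A": 1.0, "B": 4.0, "C": 0.9, "D": 1.0}))  # 1.0; B fails, D substituted
    print(voter.active, voter.failed)                                # ['A', 'C', 'D'] ['B']
    # Constructed comparator inputs: string 1 miscompares at both A and B, string 3 only at A
    readings = {1: {"A": (5.0, 1.0), "B": (5.2, 1.1)}, 2: {"A": (1.0, 1.0), "B": (1.1, 1.0)},
                3: {"A": (1.0, 3.0), "B": (1.0, 1.0)}, 4: {"A": (1.0, 0.9), "B": (1.0, 1.0)}}
    print(failed_strings(readings, 0.5))                            # [1]
```

The two isolation mechanisms are deliberately separate: the voter protects the output from a failed value on every cycle, while the comparator rule decides which string to remove from the set, and the requirement that both comparators agree before a string is failed is what keeps one comparator fault from costing a string.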




FIGURE 15 - ADVANCED STUDIES CANDIDATE SYSTEM USING QUAD COMPUTERS 









APPENDIX XVI



SHUTTLE MAIN ENGINE COMPUTER SYSTEM


The current baseline consists of two digital computers residing in each main engine controller. One controller is dedicated to each of the main engines.

The redundant digital computers for each main engine are both acquiring and processing data in parallel; however, they serve in a master and backup capacity. The output of the backup computer is not in an active control mode but serves in a standby capacity. A failure in the master will cause an automatic switchover to the backup computer. A second failure will cause the engine to shut down.

Since the two computers operate independently, except during the switching period, the implementation techniques do not appear to provide insight to the psychotic computer study problem area.







APPENDIX XVII



SATURN V INSTRUMENTATION UNIT COMPUTER SYSTEM


The Saturn V Instrumentation Unit (IU) provides control to the three Saturn V booster stages. A single digital computer with duplex memory and triple modular redundancy is used. This system has no criteria to deactivate a failed computer. The failed computer would continue to operate and try to reinitialize. The crew is not involved in any manual reconfiguration procedures.

The Launch Vehicle Digital Computer (LVDC) shown in Figure 16 is a general purpose computer. The memory can be operated in either a simplex or duplex mode. In duplex operation memory modules are operated in pairs with the same data being stored in each module. Readout errors in one module are corrected by using data from its mate to restore the defective location. In simplex operation each module contains different data, which doubles the capacity of the memory. However, simplex operation decreases the reliability of the LVDC because the ability to correct readout errors is lost.

Computer reliability is increased within the logic sections by the use of triple modular redundancy. Within this redundancy scheme, three separate logic paths are voted upon to correct any errors which develop.

The Launch Vehicle Data Adapter/Launch Vehicle Digital Computer (LVDA/LVDC) receives the complement of the LVDA/LVDC command code after the flight sequence command (bits 1 through 8) has been picked up by the input relays of the switch selectors. This is indicated in Figure 17. The feedback (verification information) is returned to the LVDA and compared with the original code in the LVDC. If the feedback agrees, the LVDC/LVDA sends a read command to the switch selector. If the verification is not correct, a reset command is given (forced reset), and the LVDC/LVDA reissues the 8-bit command in complement form on the 8 parallel lines indicated.

FIGURE 16 - INSTRUMENT UNIT NAVIGATION, GUIDANCE & CONTROL SYSTEM BLOCK DIAGRAM
(Block labels recovered from the scan: stabilized platform (attitude angles), integrating accelerometers (velocity), IU command receiver and decoder (updating information), LVDC, LVDA, attitude control signal from spacecraft, attitude correction command, control computer, control sensors, flight sequence commands to the S-IC, S-II, S-IVB and IU switch selectors and to stage circuitry, S-IC stage engine actuators, S-II stage engine actuators, S-IVB stage engine actuators and S-IVB auxiliary propulsion system (to engines, to nozzles).)

The Saturn V uses a parallel data bus system as indicated in Figure 17.
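The switch selector handshake described above, as an added example (not code from the report or from the Saturn program): the LVDC side issues an 8-bit flight sequence command, receives the complement of what the selector's input relays latched, sends a read command on agreement, and on disagreement sends a forced reset and reissues the command in complement form. The selector model, the flag that tells the selector a reissued command is in complement form, and the relay faults injected to exercise the retry (a bit stuck high, and a bit that latches inverted) are assumptions for the example; the verification rule itself (feedback must be the complement of the code sent) is the one the text gives.

```python
"""Constructed model of the LVDC to switch selector command verification exchange."""
from __future__ import annotations
from typing import Optional

MASK = 0xFF


def complement(code: int) -> int:
    """Bitwise complement of an 8-bit command."""
    return ~code & MASK


class SwitchSelector:
    """Stage-side switch selector (constructed model).

    stuck_high marks input relay bits that latch 1 regardless of the command
    line; inverted marks bits that latch the opposite of what was sent, a fault
    that no reissue can work around.
    """

    def __init__(self, stuck_high: int = 0, inverted: int = 0):
        self.stuck_high, self.inverted = stuck_high, inverted
        self.latched: Optional[int] = None
        self.executed: list[int] = []

    def load(self, code: int) -> int:
        """Latch the command on the input relays and return the verification word."""
        self.latched = ((code ^ self.inverted) | self.stuck_high) & MASK
        return complement(self.latched)

    def reset(self) -> None:
        """Forced reset: drop the relays without executing anything."""
        self.latched = None

    def read(self, complemented: bool) -> None:
        """Read command: execute the latched code, un-complementing it when the
        LVDC sent the command in complement form (assumed flag)."""
        code = complement(self.latched) if complemented else self.latched
        self.executed.append(code)
        self.latched = None


def issue_command(selector: SwitchSelector, code: int) -> dict:
    """LVDC/LVDA side of the exchange; returns a small trace of what happened."""
    trace = {"code": code, "attempts": 0, "forced_reset": False, "executed": False}
    for complemented in (False, True):
        sent = complement(code) if complemented else code
        trace["attempts"] += 1
        feedback = selector.load(sent)
        # Verification: the feedback is the complement of the latched relays, so it
        # must equal the complement of the code as sent.
        if feedback == complement(sent):
            selector.read(complemented)
            trace["executed"] = True
            trace["complemented"] = complemented
            return trace
        selector.reset()             # forced reset, then retry in complement form
        trace["forced_reset"] = True
    return trace                     # both forms rejected: command not executed


if __name__ == "__main__":
    healthy = SwitchSelector()
    print(issue_command(healthy, 0x0A), healthy.executed)       # 1 attempt, [10]
    stuck = SwitchSelector(stuck_high=0x01)                      # bit 0 of the relays stuck at 1
    print(issue_command(stuck, 0x0A), stuck.executed)           # 2 attempts, complemented, [10]
    broken = SwitchSelector(inverted=0x01)                       # bit 0 always latches inverted
    print(issue_command(broken, 0x0A), broken.executed)         # 2 attempts, not executed, []
```

A stuck relay corrupts exactly one of the two forms of any command (the direct form if the command's bit is 0, the complement otherwise), which is why reissuing in complement form recovers from it; a relay that inverts corrupts both forms, and the exchange then refuses to execute rather than executing a wrong code.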



FIGURE 17 - INSTRUMENT UNIT LAUNCH VEHICLE DIGITAL COMPUTER (LVDC) SWITCH SELECTOR INTERCONNECTION DIAGRAM
(Block labels recovered from the scan: control distributor; 15-bit serial; flight command, reset, read; 8 lines parallel; 8-bit serial; digital input multiplexer; return.)






APPENDIX XVIII 





GROUND COMPUTER SYSTEMS


This appendix briefly defines the three ground computer systems investigated. These are the NASA JSC Mission Control Center (MCC), the NASA GSC remote site, and the NASA KSC Saturn Launch Vehicle (PAD 39) computer systems.


A. MCC Automated System

• MCC - RTCC: five IBM computers for processing
  CCATS: four Univac computers for interfacing with the Goddard network
• Two of each computer set are dedicated to a mission at the MCC
  o Two computers are active during critical mission phases (launch, insertion, rendezvous)
  o One is on-line; the other is in dynamic standby mode
  o Both get the same inputs; however, the outputs of the standby are not used
  o Computer status is determined by the console operator
  o Switching criteria are judgemental, using procedures and console data
  o Manual switching only, with no automatic capability available; msec timeframe (no data loss at MOCR consoles); break-before-make switchover
• Computer/MOCR console interface is a simplex data bus
• MCC/Goddard interface (CCATS)
  o Redundant lines; one active, one not used
  o Backup line carries test messages to verify readiness


B. Remote Site Automated System

REMOTE SITES
• Two computers: one uplink (commands), one downlink (data or TM)
• Dedicated by function, no redundancy
• Realtime reconfiguration after failure; the active computer does one function
• Both computers can do either function but not simultaneously
• Remote site/Goddard interface
  o One line
  o Realtime backup using alternate "33LL" lines

C. KSC Saturn Launch Vehicle (PAD 39) Automated System
• Two RCA 110A computers: 1 in LUT (Launch Umbilical Tower), 1 in LCC (Launch Control Center)
• Not redundant
• Two LCC/LUT data buses: 1 active (in line), 1 passive
• Passive line verification at system turn-on
• Automatic switchover to the backup bus after two unsuccessful attempts to transfer data (does not switch back)
• Hardline (5 miles) backup for critical functions



